Chapter one
The Process of Auditing Information Systems
1.1 Introduction
Computers and computer-based information systems have pervaded every modern organization. An organization must exercise control over these systems because the cost of errors and irregularities that arise in them can be high and can even threaten the organization's existence. An organization's ability to survive can be severely undermined by corruption or destruction of its database, by decision-making errors caused by poor-quality information systems, by losses incurred through computer abuse, and by loss of computer assets or of control over how computers are used within the organization. Managements across the world have therefore deployed specialized auditors to audit their information systems, to find gaps between declared policies and actual use and shortcomings in information system design and usage.
1.2 Definition of Information Systems Auditing
Information systems audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently.
The IS auditor should see not only that adequate internal controls exist in the system but also that they work effectively to ensure results and achieve objectives. Internal controls should be commensurate with the assessed risk, so as to reduce the impact of identified risks to acceptable levels. IS auditors need to evaluate the adequacy of internal controls in computer systems to mitigate the risk of loss due to errors, fraud and other acts, and to disasters or incidents that make the system unavailable.
An IS auditor is also responsible for assessing the strength and effectiveness of controls designed to protect information systems, and for ensuring that audit engagements are planned, designed and reviewed based on the assessed risk that irregular and illegal acts might occur. Such acts could be material to the subject matter of the IS auditor's report. The IS auditor is not qualified to determine whether an irregular, illegal or erroneous act has occurred, but has the responsibility to report suspected acts to the appropriate parties. Determining whether information systems safeguard assets and maintain data integrity are the primary objectives of an IS audit function.
The IS auditor is ultimately responsible to senior management and to the audit committee of the board of directors. Before communicating the results to senior management, the IS auditor should discuss the findings with the management staff of the audited entity to gain agreement on the findings and to develop a course of corrective action. An internal audit department that organizationally reports exclusively to the chief financial officer (CFO) rather than to an audit committee is very likely to have its audit independence questioned.
1.3 Auditing Standards for Information Systems Auditing
The specialized nature of Information Systems auditing and the professional skills and credibility necessary to perform such audits, require standards that would apply specifically to IS auditing. Standards, procedures and guidelines have been issued by various institutions, which discuss the way the auditor should go about auditing Information Systems.
In line with such developments, the Supreme Audit Institution of India, for instance, has declared a mission to adopt and evolve standards, guidelines and best practices for auditing in a computerized environment. This lends credibility and clarity to audits conducted in a computerized environment.
The framework for the IS Auditing Standards provides multiple levels of guidance. Standards provide a framework for all audits and auditors and define the mandatory requirements of the audit. They are broad statements of auditors' responsibilities and ensure that auditors have the competence, integrity, objectivity and independence needed in planning, conducting and reporting on their work. Guidelines provide guidance in applying the IS Auditing Standards. The IS auditor should consider them in determining how to implement the standards, use professional judgment in their application and be prepared to justify any departure. Procedures provide examples of procedures an IS auditor might follow in an audit engagement. They provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Guidelines and Procedures is to provide further information on how to comply with the IS Auditing Standards.
While conducting an information systems audit the auditor should consider the issues of confidentiality, integrity and availability (CIA), and the auditor's work should be guided by international or the respective national standards. These may include the INTOSAI Auditing Standards, the International Federation of Accountants (IFAC) Auditing Standards, the international standards of professional audit institutions such as the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA), and the national auditing standards of SAI member countries.
1.4 ISACA IS Auditing Standards and Guidelines and Code of Professional Ethics
The Information Systems Audit and Control Association (ISACA) has laid down the following generic requirements for IS audit, which apply to all categories of IS audits:
The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
The information systems auditor is to be independent of the auditee in attitude and appearance.
The information systems auditor is to adhere to the ‘Code of Professional Ethics’. Due professional care and observance of applicable professional auditing standards are to be exercised.
The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work, and is to maintain technical competence through continuing professional education.
The information systems auditor is to plan the work so as to address the audit objectives.
Information systems audit staff is to be appropriately supervised so as to ensure that audit objectives and applicable professional auditing standards are met. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of sufficient, reliable, relevant and useful evidence.
The information systems auditor is to provide a report, in an appropriate form, to intended recipients upon the completion of audit work.
The information systems auditor is to follow up, in a timely manner, on previous relevant findings.
1.5 CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
The Information Systems Audit and Control Foundation (ISACF) developed the Control Objectives for Information and related Technology (COBIT). COBIT is a framework of generally applicable information systems security and control practices for IT control. The framework allows:
(1) Management to benchmark the security and control practices of IT environments,
(2) Users of IT services to be assured that adequate security and control exist, and
(3) Auditors to substantiate their opinions on internal control and to advise on IT security and control matters.
1.5.1 The COBIT framework addresses the issue of control from three vantage points, or dimensions:
1. Business Objectives. To satisfy business objectives, information must conform to certain criteria that COBIT refers to as business requirements for information. The criteria are divided into seven distinct yet overlapping categories that map into the COSO objectives: effectiveness (relevant, pertinent, and timely), efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability.
2. IT resources, which include people, application systems, technology, facilities, and data.
3. IT processes, which are broken into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.
COBIT, which consolidates standards from 36 different sources into a single framework, is having a big impact on the information systems profession. It is helping managers learn how to balance risk and control investment in an information system environment. It provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate. It guides auditors as they substantiate their opinions and as they provide advice to management on internal controls.
1.6. INFORMATION SYSTEMS CONTROL TECHNIQUES
The basic purpose of information system controls in an organization is to ensure that business objectives are achieved and that undesired risk events are prevented, or detected and corrected. This is achieved by designing an effective information control framework, which comprises the policies, procedures, practices and organization structure that give reasonable assurance that the business objectives will be achieved. When reviewing a client's control systems, the auditor will be able to identify three components of internal control. Each component is aimed at achieving different objectives. The information systems auditor will be most familiar with:
Accounting controls, i.e. those controls which are intended to safeguard the client’s assets and ensure the reliability of the financial records;
Operational controls: These deal with the day to day operations, functions and activities to ensure that the operational activities are contributing to business objectives;
Administrative controls: These are concerned with ensuring efficiency and compliance with management policies, including the operational controls.
1.6.1 Auditor’s categorisation of controls
When we look at financial or accounting controls we examine them to see if they reduce the likelihood of the financial statements containing material errors. We put the controls into categories depending on when they act. We categorise the controls into the following four groups:
Preventive Controls: Preventive controls are those inputs, which are designed to prevent an error, omission or malicious act occurring. An example of a preventive control is the use of passwords to gain access to a financial system.
The broad characteristics of preventive controls are:
A clear-cut understanding about the vulnerabilities of the asset
Understanding probable threats
Provision of necessary controls for probable threats from materializing
Any control can be implemented in both a manual and a computerized environment for the same purpose. It is the implementation methodology that may differ from one environment to the other. Let us now look at examples of preventive controls and how the same control is implemented in different environments.
Examples of preventive controls include:
Employ qualified personnel
Segregation of duties
Access control
Vaccination against diseases
Documentation
Prescribing appropriate books for a course
Training and retraining of staff
Authorization of transaction
Validation, edit checks in the application
Firewalls
Anti-virus software (sometimes this acts like a corrective control also), etc
Passwords
The above list in no way is exhaustive, but is a mix of manual and computerized, preventive controls.
Detective Controls: These controls are designed to detect errors, omissions or malicious acts that occur and to report the occurrence. An example of a detective control is the use of automatic expenditure profiling, where management gets regular reports of spend to date against profiled spend. The main characteristics of such controls are as follows:
Clear understanding of lawful activities, so that anything which deviates from them is reported as unlawful or malicious
An established mechanism to refer the reported unlawful activities to the appropriate person or group
Interaction with the preventive control to prevent such acts from occurring
Surprise checks by supervisor
Examples of detective controls include:
Hash totals
Check points in production jobs
Echo control in telecommunications
Error message over tape label
Duplicate checking of calculations
Periodic performance reporting with variances
Past-due accounts report
The internal audit functions
Intrusion detection system
Cash counts and bank reconciliation
Monitoring expenditures against budgeted amount
Corrective Controls: Corrective controls are designed to reduce the impact or correct an error once it has been detected. Corrective controls may include the use of default dates on invoices where an operator has tried to enter the incorrect date. A business continuity plan is considered to be a significant corrective control. The main characteristics of the corrective controls are:
Minimize the impact of the threat
Identify the cause of the problem
Remedy problems discovered by detective control
Get feedback from preventive and detective controls
Correct error arising from a problem
Modify the processing systems to minimize future occurrences of the problem
Examples of Corrective Controls
Contingency planning
Backup procedure
Rerun procedures
Treatment procedures for a disease
Change input value to an application system
Investigate budget variance and report violations.
Compensatory Controls: Controls are designed to reduce the probability of threats exploiting the vulnerabilities of an asset and causing a loss to that asset. While designing a control one thing should be kept in mind: the cost of the lock should not exceed the value of the assets it protects. Sometimes, because of financial, administrative or operational constraints, organizations are not able to implement the appropriate controls. In such a scenario there should be adequate compensatory measures which, although not as effective as the appropriate control, still reduce the probability of threats to the assets. Such measures are called compensatory controls.
1.7 Audit Trails: Audit trails are logs that can be designed to record activity at the system, application and user level. When properly implemented, audit trails provide an important detective control that helps accomplish security policy objectives. Many operating systems allow management to select the level of auditing to be provided by the system; this determines which events will be recorded in the log. An effective audit policy captures all significant events without cluttering the log with trivial activity.
Audit Trail Objectives: Audit trails can be used to support security objectives in three ways:
a. Detecting unauthorized access to the system,
b. Facilitating the reconstruction of events, and
c. Promoting personal accountability.
1.7.1 Detecting Unauthorized Access: Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. A real-time audit trail can also be used to report changes in system performance that may indicate infection by a virus or worm. Depending upon how much activity is being logged and reviewed, real-time detection can impose a significant overhead on the operating system, which can degrade operational performance. For after-the-fact detection, logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine whether unauthorized access was accomplished, or was attempted and failed.
1.7.2 Reconstructing Events: Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future. Audit trail analysis also plays an important role in accounting control. For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
1.7.3 Personal Accountability: Audit trails can be used to monitor user activity at the lowest level of detail. This capability also acts as a preventive control that influences behaviour: individuals are less likely to violate an organisation's security policy if they know that their actions are recorded in an audit log.
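The three audit-trail objectives above (detecting unauthorized access, reconstructing events, and accountability) come together when a reviewer actually works through a log. The following is an added example, not code from the original text: it parses a constructed, syslog-like audit trail (the key=value format, host names, addresses and the 5-failures-in-60-seconds threshold are all assumptions made for the example), flags failed-login bursts and any subsequent success from the same user and source, lists denied accesses, and reconstructs one account's timeline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail in a syslog-like key=value format (not real data).
SAMPLE_LOG = """\
2024-03-04T09:00:01 host1 auth: user=alice src=10.0.0.5 action=login result=success
2024-03-04T09:00:12 host1 auth: user=alice src=10.0.0.5 action=read object=/finance/ledger.db result=success
2024-03-04T09:01:40 host1 auth: user=bob src=203.0.113.9 action=login result=failure
2024-03-04T09:01:43 host1 auth: user=bob src=203.0.113.9 action=login result=failure
2024-03-04T09:01:45 host1 auth: user=bob src=203.0.113.9 action=login result=failure
2024-03-04T09:01:47 host1 auth: user=bob src=203.0.113.9 action=login result=failure
2024-03-04T09:01:50 host1 auth: user=bob src=203.0.113.9 action=login result=failure
2024-03-04T09:02:00 host1 auth: user=bob src=203.0.113.9 action=login result=success
2024-03-04T09:02:30 host1 auth: user=bob src=203.0.113.9 action=write object=/finance/ledger.db result=success
2024-03-04T09:03:00 host1 auth: user=carol src=10.0.0.7 action=read object=/hr/payroll.csv result=denied
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: object=(?P<object>\S+))? result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse lines into event dicts, oldest first; unparseable lines are skipped here
    (in a real review their count is itself a finding)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window over failed logins per (user, src).
    Returns {(user, src): (burst_size, burst_end_ts)} for pairs that reach the threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and ev["result"] == "failure":
            failures[(ev["user"], ev["src"])].append(ev["ts"])
    flagged = {}
    for key, stamps in failures.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop failures older than the window
                start += 1
            size = end - start + 1
            if size >= threshold and size > flagged.get(key, (0, None))[0]:
                flagged[key] = (size, ts)
    return flagged


def successes_after_burst(events, bursts):
    """A successful login from a flagged pair after its burst is the strongest sign that
    password guessing worked; these go to the top of the review list."""
    return [
        (ev["ts"].isoformat(), ev["user"], ev["src"])
        for ev in events
        if (ev["user"], ev["src"]) in bursts
        and ev["action"] == "login" and ev["result"] == "success"
        and ev["ts"] > bursts[(ev["user"], ev["src"])][1]
    ]


def denied_actions(events):
    """Access attempts the control stopped: the control held, but the attempt needs explaining."""
    return [(ev["ts"].isoformat(), ev["user"], ev["action"], ev["object"])
            for ev in events if ev["result"] == "denied"]


def user_timeline(events, user):
    """Reconstruct, in order, everything one account did (event reconstruction, accountability)."""
    return [(ev["ts"].isoformat(), ev["action"], ev["object"], ev["result"])
            for ev in events if ev["user"] == user]


def review(text):
    """Run the whole after-the-fact review over a log and return the findings."""
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "bursts": {f"{u}@{s}": n for (u, s), (n, _) in bursts.items()},
        "success_after_burst": successes_after_burst(events, bursts),
        "denied": denied_actions(events),
        "timelines": {u: user_timeline(events, u) for (u, _) in bursts},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the sample, bob's five failures inside ten seconds followed by a success and a write to the ledger are reported as a burst with a subsequent success, carol's denied read appears under denied actions, and bob's full timeline is reconstructed for the accountability discussion. Both the threshold and the window are tunable; the trade-off against logging overhead described in 1.7.1 is why the review here is after the fact rather than on every event.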
1.8 User Controls: Responsibility for the validity of application system output lies ultimately with the user. The user is responsible for data submission and for correcting errors that result from inaccurately submitted data. User controls over data being processed should include:
a. User instruction manuals defining responsibilities and actions;
b. Input controls that identify all data entering the processing cycle;
c. Processing control information that includes edits, error handling, audit trails and master file changes;
d. Output controls that define how to verify the correctness of the reports;
e. Separation of duties between preparing the input and balancing the output
1.9 Error Correction
The audit work on error correction should cover the following:
Identify all data and processing errors that can be detected, either through edit checks or through routine processing.
Determine the impact data and processing errors have on processing: whether errors must be corrected before processing continues, or whether errors are segregated from processing so that good transactions continue to be processed while the errors are corrected.
Determine if errors are segregated onto a suspense file, and whether the error suspense file is cumulative or non-cumulative.
Review the error reports to determine if they are of reasonable length.
Determine how errors are corrected and whether the corrected transactions are authorized.
Verify that corrected transactions are reintroduced into mainstream processing, either at the original point of input or through a special error correction process.
Determine if the error correction process removes the items from the error suspense file.
Determine the timeliness of error correction.
Identify how end users monitor the remaining errors and conduct timely further investigation.
Determine whether there is an appropriate separation of duties (custody, authorization, recording and periodic reconciliation) for those authorized to update data.
Determine if all reconciliation and error correction procedures are documented in the end-user documentation.
Determine whether an exception report, with an aging analysis, is generated for long-outstanding error transactions.
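The user controls of 1.8 and the error-correction questions of 1.9 describe one processing pipeline: batch control totals on input, edit checks, a suspense file for rejects, authorized correction that re-enters the item through the same checks, and an aging report for what is still outstanding. As an added example that is not part of the original chapter, the following Python sketches that pipeline end to end; the six-digit account format, the transaction fields, the batch and the dates are all constructed for the example, and the hash total is taken over numeric account numbers only (non-numeric ones contribute zero), which is an assumption of this example.

```python
import re
from datetime import date

ACCOUNT_RE = re.compile(r"^\d{6}$")   # assumed account-number format for the example


def edit_checks(txn):
    """Application edit checks on one transaction; an empty list means it passes."""
    errors = []
    if not ACCOUNT_RE.match(str(txn.get("account", ""))):
        errors.append("account must be 6 digits")
    amount = txn.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    try:
        date.fromisoformat(str(txn.get("date", "")))
    except ValueError:
        errors.append("date must be YYYY-MM-DD")
    return errors


def batch_totals(txns):
    """Record count, amount total and hash total of account numbers over the raw input.
    The user declares these on submission; the system recomputes them (a detective control
    for lost, duplicated or altered records). Non-numeric accounts contribute 0 to the hash."""
    amount_total = sum(t["amount"] for t in txns if isinstance(t.get("amount"), (int, float)))
    hash_total = sum(int(t["account"]) for t in txns if str(t.get("account", "")).isdigit())
    return {"count": len(txns), "amount_total": round(amount_total, 2), "hash_total": hash_total}


class SuspenseFile:
    """Cumulative suspense file: rejected items stay until corrected and reintroduced."""
    def __init__(self):
        self.items = {}

    def add(self, txn, errors, entered):
        self.items[txn["id"]] = {"txn": dict(txn), "errors": errors, "entered": entered}

    def aging_report(self, today, max_age_days=30):
        """Exception report of long-outstanding items, oldest first."""
        rows = [(tid, (today - it["entered"]).days, it["errors"]) for tid, it in self.items.items()]
        return sorted((r for r in rows if r[1] > max_age_days), key=lambda r: -r[1])


def process_batch(txns, declared_totals, suspense, today):
    """Batch-level control totals first; then edit checks route good records to posting and
    bad ones to the suspense file, so processing of the good records continues."""
    computed = batch_totals(txns)
    if computed != declared_totals:
        return [], [f"batch rejected: declared {declared_totals} != computed {computed}"]
    posted = []
    for txn in txns:
        errors = edit_checks(txn)
        (suspense.add(txn, errors, today) if errors else posted.append(txn))
    return posted, []


def correct_transaction(suspense, txn_id, corrections, corrected_by, today):
    """Apply an authorised correction and reintroduce the item at the original point of input.
    Separation of duties: whoever prepared the record may not also correct it.
    Returns the posted transaction, or None if it still fails (it then stays on suspense)."""
    item = suspense.items[txn_id]
    if corrected_by == item["txn"].get("prepared_by"):
        raise PermissionError(f"{corrected_by} prepared {txn_id} and may not correct it")
    txn = {**item["txn"], **corrections, "corrected_by": corrected_by, "corrected_on": today.isoformat()}
    errors = edit_checks(txn)            # same checks as first-time input, never a bypass
    if errors:
        item["errors"] = errors          # stays on suspense with the updated reasons
        return None
    del suspense.items[txn_id]           # correction removes the item from the suspense file
    return txn


# Constructed sample batch (not real data): one good record and two that fail edit checks.
SAMPLE_BATCH = [
    {"id": "T1", "account": "123456", "amount": 100.0, "date": "2024-03-01", "prepared_by": "alice"},
    {"id": "T2", "account": "12AB56", "amount": 50.0, "date": "2024-03-01", "prepared_by": "alice"},
    {"id": "T3", "account": "654321", "amount": -20.0, "date": "2024-03-01", "prepared_by": "alice"},
]
SAMPLE_DECLARED = {"count": 3, "amount_total": 130.0, "hash_total": 123456 + 654321}


def run_example():
    """Post the batch, correct T2 as a second person, let alice try to fix her own T3, then age."""
    suspense = SuspenseFile()
    posted, batch_errors = process_batch(SAMPLE_BATCH, SAMPLE_DECLARED, suspense, date(2024, 3, 4))
    fixed = correct_transaction(suspense, "T2", {"account": "112233"}, "bob", date(2024, 3, 5))
    try:
        correct_transaction(suspense, "T3", {"amount": 20.0}, "alice", date(2024, 3, 5))
        sod_refused = False
    except PermissionError:
        sod_refused = True
    return {"posted": posted, "batch_errors": batch_errors, "fixed": fixed,
            "sod_refused": sod_refused, "aging": suspense.aging_report(date(2024, 4, 15))}


if __name__ == "__main__":
    print(run_example())
```

Each question in the 1.9 list maps to a line of this code that an auditor can test: whether the batch is rejected on a totals mismatch, whether rejects land on a cumulative suspense file rather than stopping the run, whether a correction goes back through the same edit checks, whether the corrector is someone other than the preparer, and whether items older than the threshold surface on the aging report.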
1.10. Risk-Based IS Audit Strategy and Objectives
One of the significant challenges facing auditors today is what to audit. The tighter integration of information systems and business processes, and the continued complexity of these systems, combined with limited resources and the ever-increasing pace of business, make auditing everything an impossible task. One of the techniques that management and auditors can use to allocate limited audit resources is a risk-based audit approach. The risk-based audit approach helps ensure that appropriate levels of protection are applied to information assets.
A benefit of the risk-based approach to audit planning is that auditing resources are allocated to the areas of highest concern.
Aligning Controls with the Organization's Business Objectives
IT governance provides structure to functions and processes within the IT organization. Because of the critical dependency of business on its information systems, the governance structure must ensure that the IT organizational strategy is aligned with the business strategy. The implementation of the IT strategy will help ensure that IT processes contain the necessary controls to reduce risk to the organization and its business objectives. IT resources should be used responsibly, and IT risks should be managed appropriately.
1.11 Steering Committee
The organization should have an IT steering committee to ensure that the IS department's strategy directly aligns with the organization's corporate mission and objectives and that IT resources are used efficiently. The IT steering committee is a formal body, usually composed of senior managers representing the business areas, with duties outlined in a charter. The charter sets out the authority and responsibilities assigned to the committee and is a strong indicator that senior management supports the steering committee. One of the functions of the IT steering committee is to keep detailed minutes of its meetings, documenting both the procedural functions of the committee and its decisions. The committee is responsible for ensuring that the organization's leadership (board of directors and senior management) is informed in a timely manner via the minutes and additional reporting, if required.
1.12 Segregation of Duties
Segregation of duties is an important means by which fraudulent or malicious acts can be discouraged or prevented. A common example of improper segregation of duties is allowing a single person within operations or the help desk to be responsible for ordering hardware/software, receiving it, and managing asset or inventory control. This structure could allow a single person to order and receive IT equipment without adding it to the asset-control system and therefore creates the opportunity for theft of equipment. In small organizations in which proper segregation of duties is not possible, the IT department must set up compensating controls. In this instance, the IT department could institute a daily/weekly review of all orders by a manager, to ensure that equipment is being added to the asset-control system.
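Two checks an auditor or an identity engineer can run against the situation just described are a toxic-combination check over role assignments (who holds both halves of a conflicting pair) and the compensating reconciliation of received orders against the asset register. The following is an added example that is not from the original text; the roles, permissions, users, purchase orders and serial numbers are constructed for the example, and the toxic pairs are assumptions standing in for whatever the organization's own SoD matrix defines.

```python
from itertools import combinations

# Constructed role-to-permission mapping (assumption for the example).
ROLE_PERMS = {
    "purchaser":   {"order_equipment"},
    "receiver":    {"receive_equipment"},
    "asset_admin": {"update_asset_register"},
    "helpdesk":    {"reset_password"},
}

# Constructed user-to-role assignments: dave can order, receive and register equipment alone.
USER_ROLES = {
    "dave":  {"purchaser", "receiver", "asset_admin"},
    "erin":  {"purchaser"},
    "frank": {"receiver", "helpdesk"},
}

# Permission pairs that must never sit with one person (assumed SoD matrix).
TOXIC_PAIRS = [
    ("order_equipment", "receive_equipment"),
    ("receive_equipment", "update_asset_register"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of permissions over every role the user holds; unknown roles grant nothing."""
    return set().union(*(role_perms.get(r, set()) for r in user_roles.get(user, set())))


def sod_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMS, toxic=TOXIC_PAIRS):
    """Return {user: [toxic pair, ...]} for each user holding both halves of any toxic pair."""
    conflicts = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [pair for pair in toxic if set(pair) <= perms]
        if hits:
            conflicts[user] = hits
    return conflicts


def shared_role_conflicts(role_perms=ROLE_PERMS, toxic=TOXIC_PAIRS):
    """Design-level check: a single role that carries both halves of a pair is a conflict
    for everyone who will ever be assigned it, so it is worth catching before assignment."""
    return [(r1, r2) for r1, r2 in combinations(role_perms, 2)
            if any(set(pair) <= role_perms[r1] | role_perms[r2] for pair in toxic)
            and any(set(pair) <= role_perms[r1] for pair in toxic)]


# Constructed purchase-order log and asset register (not real data).
PURCHASE_ORDERS = [
    {"po": "PO-1", "serial": "SN-A1", "ordered_by": "erin", "received_by": "frank"},
    {"po": "PO-2", "serial": "SN-B2", "ordered_by": "dave", "received_by": "dave"},
    {"po": "PO-3", "serial": "SN-C3", "ordered_by": "erin", "received_by": None},   # not yet received
]
ASSET_REGISTER = {"SN-A1"}


def reconcile(purchase_orders=PURCHASE_ORDERS, asset_register=ASSET_REGISTER):
    """The manager's periodic compensating review: items received but never registered,
    and orders where the same person both ordered and received the equipment."""
    received = [po for po in purchase_orders if po["received_by"]]
    return {
        "unregistered": [po["po"] for po in received if po["serial"] not in asset_register],
        "self_received": [po["po"] for po in received if po["received_by"] == po["ordered_by"]],
    }


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())
    print("Reconciliation:", reconcile())
```

In the constructed data dave's three roles hit both toxic pairs, and the reconciliation independently surfaces PO-2, which he ordered, received and never registered. The first check is the preventive control (fix the role assignment); the second is the compensating detective control the text recommends where the roles cannot be split.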
1.13 IS Auditing Practices and Techniques
An auditor can perform a variety of audit types. Our primary topic is IT auditing, but it is important to understand the procedures associated with each type of audit:
Financial audit— A financial audit often involves detailed, substantive testing. This kind of audit relates to information integrity and reliability; its purpose is to assess the correctness of the organization’s financial statements.
Operational audit— An operational audit is designed to evaluate the internal control structure in a given process or area. IS audits of application controls or logical security systems are examples of operational audits.
Integrated audit— An integrated audit combines the testing of controls and substantive testing for the completeness, validity, and integrity of the information. An SAS 94 audit is an example of an integrated audit.
Administrative audit— This audit assesses issues related to the efficiency of operation productivity within an organization.
Information systems audit— This process collects and evaluates evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operation, and control objectives will be met.
Compliance audit— Compliance auditing involves an integrated series of activities focused on investigating and confirming whether products or services comply with internal policy or with external guidelines or laws. The Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) are examples of external laws that require compliance.
1.14 Audit Planning and Management Techniques
The IS auditor should follow an IT audit life cycle in the planning, assessment, and execution of the audit. The audit life cycle should include the following steps:
1. Plan
2. Assess risk
3. Prepare and plan an audit program
4. Conduct a preliminary review of the audit area/subject
5. Evaluate the audit area/subject
6. Gather evidence
7. Conduct compliance testing
8. Conduct substantive testing
9. Form conclusions
10. Deliver audit opinion (communicate results)
11. Follow up
1.15 Information Systems Audits
During an information systems audit, the IS auditor should review the internal control environment of information systems and the use of these systems. IS audits usually evaluate processing controls, system input/output, backup and recovery plans, and security. The following types of audits are used in reviewing information systems:
Attestation— The auditor provides assurance on something for which the client is responsible. This type of audit is considered a compliance audit and can ensure internal or external compliance.
Finding and recommendation— This is a consulting or advisory engagement in which the auditor performs a less structured type of engagement, such as a systems implementation review.
SAS 94— This type of audit is referred to as an integrated audit. Typically, this is part of a regular financial audit, in which the auditor must evaluate controls around a client’s information system and the entries that are processed through that system.
1.16 Audit Conclusions
After reviewing documentation, performing testing, and completing interviews and observations, the auditor is ready to form conclusions. This process involves identifying information that is material to the audit scope and issues that represent substantial control weaknesses. Per ISACA Guideline 50, materiality in an IT audit is determined in a qualitative manner as it relates to controls around the information system. A control is deemed material if its absence prevents control objectives from being met; the auditor determines materiality for an information system or operation that processes financial transactions by assessing the value of the assets controlled by the system or the volume of transactions processed through the system. As a part of the report conclusions, the auditor must draft a management letter; any material misstatements in the financial statements should be reported to management immediately. Management then evaluates responses to the findings, states corrective actions to be taken, and determines the timing for implementing these anticipated corrective actions.
1.17 Control Objectives and Controls Related to IS (Such as Preventative and Detective)
The combination of organizational structure, policies and procedures, and best practices that are implemented to reduce risk is called internal control. Internal controls are used by the organization to provide reasonable assurance that business objectives will be met and that risk will be prevented, detected or corrected. Preventive controls are designed to keep problems from arising: they monitor both operations and inputs and prevent errors, omissions or malicious acts from occurring. An access-control system (think of a user/password combination) is an example of a preventive control. Detective controls are used to detect and report the occurrence of an error, omission or malicious act; audit trails are an example. Corrective controls minimize the impact of a threat, identify the cause of a problem and modify the system to minimize future occurrences of the problem; a rollback facility in a database environment is an example. When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of the point at which each control is exercised as data flows through the system.
Internal controls operate at all levels of the organization and should be continuously monitored to ensure their effectiveness. The auditor should be primarily concerned with the overall strength of the control, or combination of controls, to ensure that it meets its stated objective. Control procedures can be manual or automated and generally fall into three categories.
Reviewing the Audit
An important step before developing the audit conclusions is to evaluate the evidence gathered for strengths and weaknesses. The auditor must make judgments based primarily on experience. This review process is critical to the outcome of the findings and recommendations. ISACA’s standard for IS auditing 030.020, Professional Care guides the auditor while performing the audit, along with the determination of strengths and weaknesses of the evidence.
The IS auditor might need a high degree of specialized technical proficiency and might need to provide consulting or advisory services with regard to the findings and recommendations. In such consulting or advisory engagements the auditor does not produce an opinion, but simply provides a summary of the work performed in connection with the engagement. The IS auditor might provide the following services:
Communicating Audit Results
Caution - Internal auditors are encouraged to consult legal counsel in all matters involving legal issues, as requirements may vary significantly between jurisdictions. The guidance contained in the IIA Practice Advisory is based primarily on the United States, which is sometimes adopted in Ghana's legal system.
IT auditors should exercise caution when including results and issuing opinions in audit communications and work papers regarding law and regulatory violations and other legal issues. Established policies and procedures regarding the handling of these matters and a close working relationship with other appropriate areas (legal counsel, compliance, etc.) are strongly encouraged.
Internal auditors are required to gather evidence, make analytical judgments, report their results and ensure that corrective action is taken. The IT auditor's requirement to document audit records may conflict with legal counsel's desire not to leave discoverable evidence that could harm a defense. For example, even if an internal auditor conducts an investigation properly, the facts disclosed may harm the case of the organization's counsel. Proper planning and policy making are essential so that a sudden revelation does not place legal counsel and the internal auditor at odds with one another. These policies should include role definitions and methods of communication.
The IT auditor and legal counsel should also foster an ethical and preventive perspective throughout the organization by sensitizing and educating management about the established policies. Internal auditors should consider the following, especially in connection with audits that may give rise to disclosing or communicating results to parties outside the organization.